This application claims priority from Korean Patent Application No. 10-2011-0052389, filed on May 31, 2011, in the Korean Intellectual Property Office, the disclosure of which is incorporated herein in its entirety by reference.
1. Field
Exemplary embodiments relate to a method and apparatus for solving a discrete logarithm problem, and more particularly, to a method and apparatus for efficiently solving a discrete logarithm problem that can be widely used in a public key encryption system using a pre-computation table.
2. Description of the Related Art
A public key encryption system calculates a public key and a secret key by using a one-way function that is difficult to solve mathematically. The public key is publicized for anyone to access, whereas the secret key is kept and may be accessed only by users who keep the secret key. Thus, a user who has the publicized public key of the other party can secretly communicate with the other party.
The most common problem in the public key encryption system is a discrete logarithm problem. The discrete logarithm problem defined on a finite field will now be briefly described.
A cyclic group G is a set of residues of the finite field $\mathbb{Z}_p$ (the remainders of division by a prime p) under multiplication modulo p. More specifically, all elements of the cyclic group can be generated by iterative multiplication of a single element. If g is a generator of the cyclic group G of order q within the multiplicative group $\mathbb{Z}_p^*$ of the finite field $\mathbb{Z}_p$, every element of the cyclic group G has the form $g^k \bmod p$ for some number k ($0 \le k <$ order of G).
Therefore, the discrete logarithm problem defined in the finite field $\mathbb{Z}_p$ is to find the number k satisfying $y = g^k \bmod p$ when an element y is given. This is known as a problem that is computationally difficult to solve for a sufficiently large p. Thus, public key encryption systems of various forms may be designed by using k as a user's secret key and using $y = g^k \bmod p$ as the public key corresponding to the user's secret key k.
The exemplary embodiments provide a method and apparatus for efficiently solving a discrete logarithm problem using a pre-computation table, and a method and apparatus for generating the pre-computation table.
According to an aspect of the exemplary embodiments, there is provided a method of computing a discrete logarithm using a pre-computation table, the method comprising: setting p−1 and q−1 so that each of p−1 and q−1 has at least one prime factor larger than B, where N=pq is used as the modulus and both p and q are primes; generating the pre-computation table consisting of chains of function values obtained by applying an iterating function to a predetermined number of initial values having a generator of the cyclic group as a base and having different exponents; and, if a function value obtained by applying the iterating function to a value having a target element as a base and having an exponent is identical to a function value stored in the pre-computation table, computing the discrete logarithm of the target element by using the exponent information of the two function values.
According to another aspect of the exemplary embodiments, there is provided an apparatus for computing a discrete logarithm, the apparatus comprising: a pre-computation table consisting of some points of chains of function values obtained by applying an iterating function to a predetermined number of initial values having a generator of the cyclic group as a base and having different exponents; and a discrete logarithm calculating unit for setting p−1 and q−1 as multiplications of a prime factor of a predetermined number of B-smooth numbers and other prime factors smaller than a B/2-smooth number in a cyclic group having N=pq (where p and q are prime numbers) as modulo, and, if a function value obtained by applying the iterating function to a value having a target element as a base and having an exponent is identical to a function value stored in the pre-computation table, computing the discrete logarithm of the target element using exponent information of the two function values.
According to another aspect of the exemplary embodiments, there is provided a method of generating a pre-computation table used to compute a discrete logarithm, the method comprising: setting a predetermined number of initial values having a generator of a cyclic group as a base and having different exponents; iteratively performing a process of obtaining function values by applying an iterating function to the initial values until the function values correspond to previously set distinguished points; and storing the function values corresponding to the previously set distinguished points and exponents of the function values in the pre-computation table.
According to another aspect of the exemplary embodiments, there is provided an apparatus for generating a pre-computation table, the apparatus comprising: an initial value generating unit for setting a predetermined number of initial values having a generator of a cyclic group as a base and having different exponents; a function value calculating unit for obtaining function values by applying an iterating function to the initial values; and a distinguished point determining unit for, if the function values correspond to previously set distinguished points, storing the function values and the exponents of the function values in the pre-computation table.
The above and other aspects will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings in which:
The method and apparatus for efficiently solving a discrete logarithm problem using a pre-computation table according to the exemplary embodiments will now be described more fully with reference to the accompanying drawings, in which exemplary embodiments are shown.
Referring to
The initial values are a predetermined number of different values that use a generator g of the cyclic group G as a base and have exponents $r_1, r_2, r_3, \ldots$. The pre-computation table 100 may store a distinguished point (DP) rather than all elements of a chain. In this regard, the DP and the exponent information "e" may be stored together. The DP may be set as a value exhibiting a predetermined pattern, for example, having 0 as a predetermined number of most significant bits.
The iterating function used in the pre-computation table 100 is a function in which the resultant values obtained by iteratively applying it to the elements $g^{r_1}, g^{r_2}, g^{r_3}, \ldots$ of the finite cyclic group G eventually cycle, for example, the related art r-adding walk iterating function.
More specifically, with regard to the related art Pollard rho algorithm, if a function is iteratively applied to finite group elements, the values obtained after some steps of iterated application coincide with previously generated values, and thus a chain structure in which the function values cycle is obtained. That is, a function $F: G \times \mathbb{Z}_q \times \mathbb{Z}_q \to G \times \mathbb{Z}_q \times \mathbb{Z}_q$ is defined according to Equation 1 below.
$F(g_i, a_i, b_i) = (g_{i+1}, a_{i+1}, b_{i+1})$ [Equation 1]
In this regard, $g_i = g^{a_i} h^{b_i}$ (for all $i > 0$).
If $g_i = g_j$, a discrete logarithm may be found by using the relation $a_i + b_i x \equiv a_j + b_j x \pmod q$.
The r-adding walk iterating function is defined by dividing the finite cyclic group G into r subsets of the same size and efficiently computing an index function $s: G \times \mathbb{Z}_q \times \mathbb{Z}_q \to G \times \mathbb{Z}_q \times \mathbb{Z}_q$ that is pre-image uniform. Then r pairs $(u_i, v_i) \in \mathbb{Z}_q \times \mathbb{Z}_q$ are selected, and r multipliers $M_i = g^{u_i} h^{v_i}$ are set.
The r-adding walk iterating function $F_r: G \times \mathbb{Z}_q \times \mathbb{Z}_q \to G \times \mathbb{Z}_q \times \mathbb{Z}_q$ is defined according to Equation 2 below.
$F_r(y, a, b) = \left(y \cdot M_{s(y)},\ a + u_{s(y)},\ b + v_{s(y)}\right)$ [Equation 2]
In this regard, $y = g^a h^b$.
Since the pre-computation table 100 must be computed in advance, when a target element h is not yet given, an r-adding walk whose multipliers have the form $g^{u_i} h^0$ may be used.
The time taken to generate the pre-computation table 100 is the product M·T of the number M of chains and the time T taken for the iterating function of each chain to reach a DP. The greater the size of the pre-computation table 100, the shorter the time taken to solve the discrete logarithm problem. Also, the greater the size of the pre-computation table 100, the greater the memory required and the longer the time taken to generate the pre-computation table 100. Thus, the size of the pre-computation table 100 is determined in view of the time allowed for solving the discrete logarithm problem.
Referring to
A function calculating unit 320 calculates function values by applying an iterating function to the initial values (operation S210). A DP determining unit 330 determines whether the function value calculated by the function calculating unit 320 is a DP (operation S220), and, if the function value is not a DP, has the function calculating unit 320 calculate the next function value by applying the iterating function to the previous function value.
If the function value calculated by the function calculating unit 320 reaches a DP (operation S220), the DP determining unit 330 determines whether the function value is already stored in the pre-computation table; if it is, the function value is discarded, and if it is not, the function value and its exponent information "e" are stored in the pre-computation table.
In a case where the value of the iterating function never reaches a DP, the iterating function may loop indefinitely. To prevent this, the function calculating unit 320 sets a maximum number of applications of the iterating function in advance, and, if the iterating function is applied more than the set number of times, discards the corresponding initial value.
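The table-generation procedure of operations S210 and S220 (r-adding walk of Equation 2 with h-free multipliers $g^{u_i}h^0$, distinguished points with zero most-significant bits, discarding of duplicate DPs, and an iteration cap for walks that never reach a DP), written out as an added Python example that is not code from the patent. The group (p = 10007, q = 5003, g = 4 of order q), the number of multipliers, the DP rule and the iteration cap are constructed toy values assumed here; the solving step that uses the finished table is included so the table can be checked end to end.

```python
"""r-adding walk pre-computation table with distinguished points (toy sizes)."""
import random

# Constructed toy parameters: p = 10007 is prime, q = 5003 = (p-1)/2 is prime,
# and g = 4 generates the subgroup of order q in Z_p^*.
P, Q, G = 10007, 5003, 4
R = 20                          # number of multipliers in the r-adding walk
DP_BITS = 4                     # a DP has its 4 most significant bits (of 14) equal to 0
MAX_STEPS = 40 * (1 << DP_BITS) # cap that aborts walks which cycle without a DP


def is_distinguished(y):
    """DP criterion: the top DP_BITS bits of y's representation are zero."""
    return y >> (P.bit_length() - DP_BITS) == 0


def make_multipliers(rng):
    """r multipliers of the form g^{u_i} h^0 (no h, so the table is target-independent)."""
    us = [rng.randrange(1, Q) for _ in range(R)]
    return us, [pow(G, u, P) for u in us]


def walk(y, e, us, ms):
    """Apply F(y, e) = (y * M_s(y), e + u_s(y)) until a DP is reached.

    Invariant: y = (start value) * g^(e - start exponent).
    Returns (dp, e), or None if MAX_STEPS is exceeded (the non-terminating case)."""
    for _ in range(MAX_STEPS):
        if is_distinguished(y):
            return y, e
        s = y % R                     # index function s: G -> {0, ..., R-1}
        y = (y * ms[s]) % P
        e = (e + us[s]) % Q
    return None


def build_table(num_chains, seed=1):
    """Pre-computation table {DP: exponent e} with DP = g^e, one chain per initial value."""
    rng = random.Random(seed)
    us, ms = make_multipliers(rng)
    table = {}
    for _ in range(num_chains):
        e0 = rng.randrange(1, Q)      # initial value g^{r_i}
        res = walk(pow(G, e0, P), e0, us, ms)
        if res is None:
            continue                  # discard an initial value that never reaches a DP
        dp, e = res
        table.setdefault(dp, e)       # a DP already in the table is discarded
    return table, us, ms


def solve_dlog(h, table, us, ms, seed=2, max_tries=200):
    """Find x with g^x = h (mod p) using the table; None if no walk merges with it."""
    rng = random.Random(seed)
    for _ in range(max_tries):
        e = rng.randrange(1, Q)
        res = walk((h * pow(G, e, P)) % P, e, us, ms)   # start from h * g^e
        if res is None:
            continue
        dp, e_walk = res
        if dp in table:
            # h * g^{e_walk} = g^{table[dp]}  =>  x = table[dp] - e_walk (mod q)
            return (table[dp] - e_walk) % Q
    return None


if __name__ == "__main__":
    tbl, us, ms = build_table(100)
    print(len(tbl), "distinguished points stored")
    print(solve_dlog(pow(G, 1234, P), tbl, us, ms))
```

Because the multipliers contain no h, the same table serves every later target; a solving walk that lands on any point already covered by a table chain follows that chain to the same DP, which is what makes the table lookup succeed.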
Referring to
$N = p \cdot q$
$p - 1 = 2\, p_1 p_2 \cdots p_r$
$q - 1 = 2\, q_1 q_2 \cdots q_s$ [Equation 3]
In this regard, the prime numbers $p_1, p_2, q_1, q_2$ are larger than B and the other prime factors are smaller than $\sqrt{B}$, and B is 80 bits.
Although each of p−1 and q−1 has two prime factors larger than B in the present exemplary embodiment, they may have more than two prime factors larger than B.
If the target element y is given, the discrete logarithm calculating unit 420 transforms the discrete logarithm problem $y = g^x \bmod N$ according to Equation 4 below in order to solve it.
In this regard, $p_i$ and $q_i$ are the prime factors of p−1 and q−1, respectively, in Equation 4 above.
The discrete logarithm calculating unit 420 sets a value having
of Equation 4 above as a base, and having an exponent as an initial value, and applies an iterating function to the initial value with respect to the prime number pi (operation S510). If a value of the iterating function for y′ reaches a DP used to generate the pre-computation table 100 of
$x \bmod p_i,\quad x \bmod q_i$ [Equation 5]
After the result of Equation 5 is obtained for all prime factors $p_i$ and $q_i$ of p−1 and q−1, the discrete logarithm calculating unit 420 applies the Chinese remainder theorem (CRT) to all the resultant values and computes the discrete logarithm of the target element y according to Equation 6 below (operation S540).
In this regard, $\Phi(N) = (p-1)(q-1)$.
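The solving procedure of operations S510 to S540 (a residue $x \bmod \ell$ for each prime factor $\ell$ of p−1 and q−1, then CRT), as an added Python example that is not the patent's own code. Since Equations 4 and 6 are not reproduced above, it assumes the standard reduction to the prime-order subgroups (raising g and y to the power $\lambda(N)/\ell$, where $\lambda(N) = \mathrm{lcm}(p-1, q-1)$), and it combines the residues modulo $\lambda(N)$, the order of the chosen g, rather than modulo $\Phi(N)$. The primes (p−1 = 2·3·7·11, q−1 = 2·5·17·23), the exhaustive-search subgroup solver standing in for the pre-computation-table walk used for factors larger than B, and all function names are constructed for illustration.

```python
"""Trapdoor discrete logarithm in Z_N^*, N = pq, with p-1 and q-1 of known factorization (toy)."""
from math import gcd

# Constructed toy parameters: p - 1 = 2*3*7*11 (p = 463 prime), q - 1 = 2*5*17*23 (q = 3911 prime).
# The trapdoor holder chose p and q, so it knows these factors.
P_FACTORS = [2, 3, 7, 11]
Q_FACTORS = [2, 5, 17, 23]
P = 1 + 2 * 3 * 7 * 11
Q = 1 + 2 * 5 * 17 * 23
N = P * Q


def lam_and_primes():
    """lambda(N) = lcm(p-1, q-1) and its distinct prime factors (square-free here)."""
    primes = sorted(set(P_FACTORS) | set(Q_FACTORS))
    lam = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)
    return lam, primes


def pick_generator():
    """Smallest g of order exactly lambda(N): g^(lambda/l) != 1 for every prime l | lambda."""
    lam, primes = lam_and_primes()
    for g in range(2, N):
        if gcd(g, N) == 1 and all(pow(g, lam // l, N) != 1 for l in primes):
            return g
    raise ValueError("no element of full order")


def small_dlog(base, target, order, modulus):
    """Discrete log in the subgroup of prime order `order` by exhaustive search.

    Stand-in for the pre-computation-table walk; fine only for toy-sized factors."""
    acc = 1
    for k in range(order):
        if acc == target:
            return k
        acc = acc * base % modulus
    raise ValueError("target not in the subgroup generated by base")


def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli (Garner-style accumulation)."""
    x, m = 0, 1
    for r, mod in zip(residues, moduli):
        t = ((r - x) * pow(m, -1, mod)) % mod
        x, m = x + m * t, m * mod
    return x % m


def trapdoor_dlog(g, y):
    """Recover x with g^x = y (mod N): one residue per prime factor, then CRT."""
    lam, primes = lam_and_primes()
    residues = []
    for l in primes:
        g_l = pow(g, lam // l, N)     # element of order l
        y_l = pow(y, lam // l, N)     # equals g_l^x, so its log is x mod l
        residues.append(small_dlog(g_l, y_l, l, N))
    return crt(residues, primes)


if __name__ == "__main__":
    g = pick_generator()
    x = 123456
    print(trapdoor_dlog(g, pow(g, x, N)) == x)
```

The cost is dominated by the largest prime factor of p−1 and q−1, which is why the text places the table-driven walk on the factors larger than B and why an outsider who does not know p and q cannot perform the per-factor reduction.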
The exemplary embodiments may be applied to the process of generating a secret key in ID-based encryption. For example, in ID-based encryption using the ID information of a terminal as the public key, the apparatus 400 for computing the discrete logarithm may act as a key server that generates the secret key corresponding to the public key and transmits the secret key to the terminal.
According to the above exemplary embodiments, a time taken to solve a discrete logarithm problem can be reduced by using multiplications of prime factors including a predetermined number of numbers larger than B as parameters of a discrete logarithm group. The time can also be reduced by generating a pre-computation table before the discrete logarithm problem is given.
The one or more exemplary embodiments may be embodied as a computer readable recording medium on which commands, e.g., a program module, that may be executed by a computer are recorded. The computer readable recording medium may be any of media that may be accessed by a computer, e.g., a volatile medium, a non-volatile medium, a detachable medium, and a non-detachable medium. A computer readable recording medium can be transitory or non-transitory. Also, the computer readable medium may be a computer storage medium or a communication medium. Examples of the computer storage medium may include a volatile medium, a non-volatile medium, a detachable medium, and a non-detachable medium that employs a method or technology for storing computer readable commands, data structures, program modules, or other data. In general, examples of the communication medium may store computer readable commands, data structures, program modules, data contained in a modulated data signal, and other transmission mechanisms (e.g., transitory medium). The communication medium may be any information transfer media.
While the application has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those of ordinary skill in the art that various changes in form and details may be made therein without departing from the spirit and scope of the exemplary embodiments as defined by the following claims.
Number | Date | Country | Kind |
---|---|---|---|
10-2011-0052389 | May 2011 | KR | national |
Number | Name | Date | Kind |
---|---|---|---|
5854759 | Kaliski et al. | Dec 1998 | A |
5987131 | Clapp | Nov 1999 | A |
20070071237 | Brown et al. | Mar 2007 | A1 |
20090006511 | Ozturk et al. | Jan 2009 | A1 |
20120311005 | Cheon et al. | Dec 2012 | A1 |
20130064367 | Struik et al. | Mar 2013 | A1 |
Number | Date | Country |
---|---|---|
2010539633 | Dec 2010 | JP |
20030028746 | Apr 2003 | KR |
2009039316 | Mar 2009 | WO |
Entry |
---|
Communication dated Apr. 10, 2012 issued by the Korean Intellectual Property Office in Korean Application No. 10-2011-0052389. |
A. Miyaji, et al., “New explicit conditions of elliptic curve traces for FR-reduction”, TIEICE: IEICE Trans. on Communications/Electronics/Information and Systems E84-A (2001) 1234-1243. |
C. P. Schnorr et al., "A Monte Carlo factoring algorithm with linear storage", Mathematics of Computation 43 (1984) 289-311. |
D. E. Knuth, The Art of Computer Programming, vol. 2: Seminumerical Algorithms, Addison-Wesley, second edition, 1981, 12 pages. |
E. Teske, “On random walks for Pollard's rho method”, Mathematics of Computation 70 (2001) 809-825. |
E. Teske, “Speeding up Pollard's rho method for computing discrete logarithms”, in: J. Buhler (Ed.), Algorithmic Number Theory ,Third International Symposium, ANTS-III, LNCS 1423, Springer, 1998, pp. 541-554. |
F. Kuhn, et al., “Random walks revisited: extensions of Pollard's rho algorithm for computing multiple discrete logarithms”, in: S. Vaudenay, A. M. Youssef (Eds.), Selected Areas in Cryptography 2001. LNCS 2259, Springer, 2001, pp. 212-229. |
G. Nivasch, “Cycle detection using a stack”, Information Processing Letters 90 (2004) 135-140. |
J. H. Cheon, et al., "Speeding up the Pollard rho method on prime fields", in: J. Pieprzyk (Ed.), Advances in Cryptology—ASIACRYPT 2008, LNCS 5350, Springer, 2008, pp. 471-488. |
J. Hong, et al., “A comparison of cryptanalytic tradeoff algorithms”, Cryptology ePrint Archive, Report 2010/176, 2010, 52 pages. |
J. M. Pollard, “Theorems of factorization and primality testing”, Cambridge Philosophical Society 76 (1974) 521-528. |
J. Sattler, et al., Generating random walks in groups, Ann. Univ. Sci. Budapest. Sect. Comput. 6 (1985) 65-79. |
J.-J. Quisquater, et al., "How easy is collision search. New results and applications to DES", in: G. Brassard (Ed.), Advances in Cryptology—CRYPTO '89, LNCS 435, Springer, 1989, pp. 408-413. |
K. G. Paterson, et al., “On the relations between non-interactive key distribution, identity-based encryption and trapdoor discrete log groups”, Designs, Codes and Cryptography 52 (2009) 219-241. |
M. J. Wiener et al., “Faster attacks on elliptic curve cryptosystems”, in: Selected Areas in Cryptography '98, vol. 1556 of LNCS, Springer, 1999, pp. 190-200. |
M. Kim, et al., "Subset-restricted random walks for Pollard rho method on Fp", in: Public Key Cryptography 2009, vol. 5443 of LNCS, Springer, 2009, pp. 54-67. |
N. Koblitz, "CM-curves with good cryptographic properties", in: J. Feigenbaum (Ed.), Advances in Cryptology—CRYPTO '91, vol. 576 of LNCS, Springer, 1992, pp. 279-287. |
National Institute of Standards and Technology, “Digital signature standard (DSS)”, 2009. FIPS PUB 186-3, 130 pages. |
P. C. van Oorschot, et al., “Parallel collision search with cryptanalytic applications”, Journal of Cryptology 12 (1999) 1-28. |
R. P. Brent, “An improved Monte Carlo factorization algorithm”, BIT 20 (1980) 176-184. |
R. Sedgewick, et al., "The complexity of finding cycles in periodic functions", SIAM Journal on Computing 11 (1982) 376-390. |
R. Gallant, et al., "Improving the parallelized Pollard lambda search on anomalous binary curves", Mathematics of Computation 69 (2000) 1699-1705. |
S. C. Pohlig, et al., “An improved algorithm for computing logarithms over GF(p) and its cryptographic significance”, IEEE Transactions on Information Theory 24 (1978) 106-110. |
U. M. Maurer et al., “Non-interactive public-key cryptography”, in: D. W. Davies (Ed.), Advances in Cryptology—EUROCRYPT '91. LNCS 547, Springer, 1991, pp. 498-507. |
V. Shoup, “NTL: A library for doing number theory”, ver 5.5, 2009. http://www.shoup.net/rit1/, 1 page. |
Y. Hitchcock, et al., The efficiency of solving multiple discrete logarithm problems and the implications for the security of fixed elliptic curves, International Journal of Information Security 3 (2004) 86-98. |
D. Shanks, “Class Number, A Theory of Factorization, and Genera”, Symposia in Pure Mathematics, vol. 20, Proceedings of the 1969 Summer Institute on Number Theory: Analytic Number Theory, Diophantine Problems, and Algebraic Number Theory, Jul. 7-Aug. 1, 1969, published 1971, previously presented, pp. 415-440. |
Number | Date | Country |
---|---|---|
20120311005 A1 | Dec 2012 | US |